FACTORING POLYNOMIALS OVER GLOBAL FIELDS 



KARIM BELABAS, MARK VAN HOEIJ, JÜRGEN KLÜNERS, AND ALLAN STEEL

Abstract. Let $K$ be a global field and $f \in K[X]$ be a polynomial. We present an efficient algorithm which factors $f$ in polynomial time.
1. Introduction

Let $K$ be a global field. The goal of this paper is to present a practical algorithm which factors polynomials $f \in K[X]$ in polynomial time, in particular for the cases $K = \mathbb{Q}$ and $K = \mathbb{F}_q(t)$. The seminal Zassenhaus [Zas69] method to factor in $K[X]$ is as follows: we may assume that $f$ is separable, integral and monic. First, compute a bound for the factors of $f$, then find a non-archimedean place $v$ of $K$ such that the reduction $\bar f$ of $f$ modulo $v$ remains separable in $k[X]$ where $k$ is the residue field of $v$. Since $k$ is finite we can factor $\bar f$ in $k[X]$ using well known algorithms.

Let $K_v$ be the completion of $K$ at $v$. Let $O_v$, resp. $O$ be the maximal order of $K_v$, resp. $K$. If $K = \mathbb{Q}$ then $v$ is a prime number, $K_v$ the $v$-adic numbers, $O_v$ the $v$-adic integers, $O = \mathbb{Z}$ and $k = \mathbb{Z}/v\mathbb{Z}$.

If $K = \mathbb{F}_q(t)$ then $O = \mathbb{F}_q[t]$ and we will choose a finite place $v$, which corresponds to choosing an irreducible polynomial $v \in \mathbb{F}_q[t]$. If $\alpha$ is a root of this polynomial, then $k = \mathbb{F}_q(\alpha)$, $O_v = k[[t - \alpha]]$ and $K_v = k((t - \alpha))$, see also Section 5.

After multiplying $f$ if necessary by an element of $O$, we may assume $f \in O[X]$. By Hensel's lemma, the factorization of $\bar f$ can be lifted to a factorization

$$f = l_f\, f_1 \cdots f_r$$

in $K_v[X]$ where $l_f \in K \subset K_v$ is the leading coefficient of $f$, and $f_1, \ldots, f_r$ are monic and irreducible in $K_v[X]$. We choose $v$ so that $f \in O_v[X]$ and $l_f$ does not vanish mod $v$, so $f_1, \ldots, f_r \in O_v[X]$. In actual computations, elements of $O_v$ are computed modulo $v^\ell$ for some $\ell > 0$ and lifted to $O$. For $a \in O_v$ we write "$a \bmod v^\ell$" for such a lift of $a$ to $O$. This notation is extended to $O_v[X]$ coefficient wise. By Hensel lifting the irreducible factors of $\bar f$ we can compute $f_1, \ldots, f_r \bmod v^\ell$ for any fixed $\ell > 0$.

Let $g \in K[X]$ be a monic irreducible factor of $f$. Then

$$g = f_1^{e_1} \cdots f_r^{e_r}$$

where $e_i \in \{0, 1\}$ for all $1 \le i \le r$. If $\ell$ is large enough compared to a bound on the coefficients of $g$, we may test for given $e_1, \ldots, e_r \in \{0, 1\}$ whether $f_1^{e_1} \cdots f_r^{e_r} \in K[X]$ by computing $l_f f_1^{e_1} \cdots f_r^{e_r} \bmod v^\ell$ and checking whether this divides $f$ in $K[X]$. This time, the lift "$\ldots \bmod v^\ell$" to $O[X]$ is not arbitrary. Choosing the right lift is straightforward if $K$ is $\mathbb{Q}$ or $\mathbb{F}_q(t)$ since there are canonical minimal lifts to $O$, but requires care for general global fields (see [Bel03] for the number field case).

The Zassenhaus algorithm finds the $e_i$ by an exhaustive enumeration, which works very well if $r$ is small or the $K$-rational irreducible factors are plentiful. Otherwise, we face combinatorial explosion and exponential behaviour. The landmark paper by Lenstra et al. [LLL82] avoids this combinatorial problem by constructing $K$-rational factors with lattice basis reduction (LLL reduction). The original paper assumes $K = \mathbb{Q}$, but was suitably generalized by Arjen Lenstra [Len82] ($K$ a number field), then Pohst and Mendez [PO03] ($K$ any global field). Unfortunately, although this algorithm runs in polynomial time, it is rather slow in practice since its worst case bounds require Hensel lifting to huge accuracy, followed by the LLL-reduction of correspondingly huge lattices. Mark van Hoeij [Hoe02] came back to the combinatorial problem and used a knapsack approach to solve it for $K = \mathbb{Q}$; this was generalized to number fields by Belabas [Bel03]. These two papers stated no complexity bound. We shall describe a similar idea over a general global field $K$, and show it runs in polynomial time, although details will only be provided for the cases $K = \mathbb{Q}$ and $K = \mathbb{F}_q(t)$.

2. Notations 

Throughout the paper we will use the following notations: Let $K$ be a global field of characteristic $p \ge 0$ with maximal order $O$. We want to factor a separable polynomial $f \in K[X]$ of degree $n > 1$. After multiplying by an element of $K$ we may assume that $f \in O[X]$. Let $v$ be a non-archimedean place of $O$. We denote by $K_v$ the completion of $K$ at $v$, with maximal order $O_v$, maximal ideal $v$ and finite residue field $k$. Let $\bar f$ be the image of $f$ in $k[X]$, and assume that $\bar f$ is still separable. We also assume that the leading coefficient $l_f \in O$ of $f$ does not vanish mod $v$, so the degree of $\bar f$ is still $n$. In the number field case, instead of working with $O$ we can work with a subring of $O$ if the computation of $O$ is too costly, see [Bel03].

We have the factorizations into irreducible elements

$$f = l_f\, f_1 \cdots f_r \in O_v[X], \qquad \bar f = \bar l_f\, \bar f_1 \cdots \bar f_r \in k[X], \qquad \text{and} \qquad f = l_f\, g_1 \cdots g_s \in K[X].$$

Furthermore, $l_f g_i \in O[X]$. Obviously $1 \le s \le r \le n$. We call the $f_i$ the local factors and the $g_j$ the $K$-factors. We can not compute $f_i \in O_v[X]$ with infinite accuracy, but for any positive integer $\ell$ we can compute $f_i \bmod v^\ell$, which is in $O[X]$.
3. General description
Our method relies on two main ideas:

3.1. Linearize. The logarithmic derivative is a group homomorphism from the multiplicative group $K_v(X)^*$ to the additive group $K_v(X)$, and has kernel $K_v(X^p)^*$. The first main idea is to multiply this by $f$. Then we obtain the following group homomorphism:

$$\Phi : K_v(X)^*/K_v(X^p)^* \to K_v(X), \qquad g \mapsto f g'/g.$$

If $g$ is in the subgroup of $K_v(X)^*/K_v(X^p)^*$ generated by the local factors $f_i$, then $\Phi(g) \in O_v[X]$. If $g$ is in the subgroup generated by the $K$-factors $g_j$, then $\Phi(g) \in O[X]$. To see this, take one such $g_j$. Take any prime ideal of $O$ and let $w$ be the corresponding valuation on $K$, which is extended to a valuation on $K[X]$ by taking $w(\sum_i c_i X^i) = \min_i w(c_i)$. Now $\Phi(g_j)$ is the product of $g_j'$ and $f/g_j$, both of which are in $K[X]$, but since $w(g_j') \ge w(g_j)$ we get $w(f g_j'/g_j) \ge w(f g_j/g_j)$ which is $\ge 0$ since $f \in O[X]$. So the valuation of $\Phi(g_j) \in K[X]$ is non-negative for any prime ideal of $O$ and hence $\Phi(g_j) \in O[X]$.

Compared to the original algorithm of van Hoeij [Hoe02], we have replaced power sums by $f$ times the logarithmic derivative. To show the connection we will define power sums. Let $g \in K[X]$ be a monic separable polynomial. Let $\alpha_1, \ldots, \alpha_m$ be the zeros of $g$ in an algebraic closure of $K$. For $j \ge 0$, the $j$'th power sum ($j$-th "trace") of $g$ is:

$$\mathrm{Tr}_j(g) := \sum_{i=1}^{m} \alpha_i^j.$$

It is known that

$$g'/g = \sum_{j \ge 0} \mathrm{Tr}_j(g)\, X^{-j-1},$$

which shows the relation between $g'/g$ and power sums. Despite this relation, our "$f$ times $g'/g$ approach" turns out to be more convenient for complexity proofs than power sums, and can also have practical advantages, particularly when $f$ is not monic.

3.2. Approximately solve knapsack. Let $G_v \subset K_v(X)^*/K_v(X^p)^*$ be the subgroup generated by the local factors. Our goal is to find the subgroup $G \subset G_v$ generated by the irreducible $K$-factors of $f$. To do this we first construct the "knapsack lattice" $L$ in a similar way as in [Hoe02], except that instead of traces (power sums) of $f_i$ we use the coefficients of $\Phi(f_i)$. We then reduce this lattice, which means $\mathbb{F}_p$-linear Gaussian elimination if $p > 0$, and LLL otherwise, for details see Sections 4 and 5. Large basis vectors are then discarded, yielding a sublattice $L'$ of $L$, associated to a subgroup $G'$ of $G_v$.

3.3. Conclude.

Theorem 3.1. We have $G' = G$ provided $\ell$ is large enough.

Proof. We will only sketch the proof, leaving the details to Sections 4 and 5. If $G'$ is strictly larger than $G$, then by Lemma 3.2 below, it contains an element, represented by a rational function $g \in K_v(X)^*$, $g \notin K_v(X^p)^*$, such that
(1) At least one $f_i$ divides $\Phi(g)$,
(2) None of the $\bar g_j$ divide $\overline{\Phi(g)}$ where the bar indicates reduction to $k[X]$,
(3) $H := \Phi(g) \bmod v^\ell$ is "small".

Indeed, it is a small perturbation (see Lemma 3.2 below) of a vector in the LLL basis of $L'$ that is small, otherwise it would have been discarded.

The clumsy argument for the third condition is only needed if $p = 0$. If $p > 0$, all elements of $L'$ are small. Now, let $g$ be as above, $H := \Phi(g) \bmod v^\ell$, and $R := \mathrm{Res}(f, H)$. Then

• $\mathrm{Res}(\bar f, \overline{\Phi(g)}) = 0$, hence $v^\ell \mid R$. In fact, $v^{\ell a} \mid R$ where $a$ is the sum of the degrees of the $f_i$ that divide $\Phi(g)$. Item (1) above implies $a > 0$.

• $R \ne 0$, because if $R$ was zero then $H$ would be divisible by some $g_j$ so $\bar H$ would be divisible by some $\bar g_j$, contradicting item (2) above.

One obtains a contradiction if $v^\ell$ is larger than $R$. Since $R$ is the determinant of the Sylvester matrix of $f$ and $H$, one obtains a bound that is polynomial in terms of the sizes of $f$ and $H$. □

Lemma 3.2. Suppose $G \subsetneq G'$. Then there exists an element $g \in G' \setminus G$ such that

(1) $f_i \mid \Phi(g) \in O_v[X]$ for some $1 \le i \le r$.

(2) $\bar g_j \nmid \overline{\Phi(g)}$ for all $1 \le j \le s$.

Proof. Elements $g \in G_v$ can be written in the form $g = f_1^{e_1} \cdots f_r^{e_r} \cdot K_v(X^p)^*$ where the integers $e_i$ are defined mod $p$. We view $e_i$ as element of $\mathbb{Z}/p\mathbb{Z}$, and then define the support of $g$ as $\mathrm{Supp}\, g = \{ i \mid e_i \ne 0 \}$. Since the $f_i$ are pairwise coprime and irreducible in $O_v[X]$, we have

$$f_i \mid \Phi(f_j) \iff i \ne j.$$

So $f_i \mid \Phi(g)$ iff $e_i$ is zero in $\mathbb{Z}/p\mathbb{Z}$, and $\bar g_j \mid \overline{\Phi(g)}$ iff $\mathrm{Supp}\, g_j \cap \mathrm{Supp}\, g = \emptyset$.

The supports of $g_1, \ldots, g_s$ form a partition of $\{1, \ldots, r\}$. Choose any element $g \in G' \setminus G$. For all $1 \le j \le s$ with $\mathrm{Supp}\, g_j \cap \mathrm{Supp}\, g = \emptyset$, replace $g$ by $g_j g$. Then condition (2) is satisfied (recall that $\bar f$ is separable), and $g$ is still in $G' \setminus G$. Write this $g$ as $f_1^{e_1} \cdots f_r^{e_r} \cdot K_v(X^p)^*$ with $e_i \in \mathbb{Z}/p\mathbb{Z}$. Since $g$ is not in the group $G$ generated by $g_1, \ldots, g_s$, there must be some $g_j$ for which $S_j := \{ e_i \mid i \in \mathrm{Supp}\, g_j \}$ contains more than one element. Then take an element $e \in S_j$ and replace $g$ by $g_j^{-e} g$. Now $g$ satisfies both conditions (1) and (2). □

Remark 3.3. Given any $g \in G' \setminus G$, the above proof shows that a "small change" suffices to obtain an element of $G' \setminus G$ that satisfies conditions (1) and (2).

We have sketched a general proof and omitted the details. Filling in these details is easy for the case $K = \mathbb{F}_q(t)$ discussed in Section 5. The details for $K = \mathbb{Q}$ require more work, which is what we will do now.

4. The case $K = \mathbb{Q}$

For $f \in \mathbb{C}[X]$ with leading coefficient $l_f$, let

$$M(f) := |l_f| \prod |\alpha|^{m_\alpha}$$

be the Mahler measure of $f$, where the product is taken over all roots $\alpha \in \mathbb{C}$ of $f$ with absolute value $> 1$, and $m_\alpha$ is the multiplicity of the root $\alpha$.
Lemma 4.1. If $f, g \in \mathbb{C}[X]$ and $g \mid f$ then

$$\Phi(g) = \sum_{i=0}^{n-1} a_i X^i \in \mathbb{C}[X], \qquad \text{with } |a_i| \le B_i := \binom{n-1}{i}\, n\, M(f).$$

Proof. We may assume $g$ is not a constant. Then the degree of $\Phi(g) \in \mathbb{C}[X]$ is $n - 1$. The Mahler measure of $\Phi(g)$ is bounded by $\deg(g) M(f)$ since $M(A') \le \deg(A) M(A)$, see [Mah61], and $M(AB) = M(A) M(B)$ for any $A, B \in \mathbb{C}[X]$ [MS99, p. 79]. Bounding $\deg(g)$ by $n$, the upper bound now follows by [MS99, Lemma 2.1.9]. □

We restrict to the case $K = \mathbb{Q}$; for a general number field follow [Bel03]. We use the notation $\mathbb{Z}[X]_{<n}$ for all polynomials in $\mathbb{Z}[X]$ of degree $< n$. We use $\|\cdot\|_2$ for the $L^2$ norm on both $\mathbb{Z}^n$ and $\mathbb{Z}[X]_{<n}$.

Corollary 4.2. With $f \in \mathbb{Z}[X]$ and $g$ any factor of $f$ in $\mathbb{Q}[X]$, we have $\Phi(g) \in \mathbb{Z}[X]_{<n}$ and

$$\|\Phi(g)\|_2 \le B(f) := 2^{n-1}\, n\, \|f\|_2.$$

Proof. That $\Phi(g)$ is in $\mathbb{Z}[X]$ was proven in Section 3.1. Using Lemmata 2.1.8 and 2.1.9 in [MS99] we get that $\|\Phi(g)\|_2 \le 2^{n-1} M(\Phi(g))$. As in the proof of Lemma 4.1 we get that $2^{n-1} M(\Phi(g)) \le 2^{n-1} n M(f)$. Corollary 2.1.5 in [MS99] states that $M(h) \le \|h\|_2$ for all non constant polynomials $h$, which finishes the proof. □

For $1 \le j \le s$ write the monic irreducible $K$-factors as $g_j = f_1^{w_{j,1}} \cdots f_r^{w_{j,r}}$ with $w_{j,1}, \ldots, w_{j,r} \in \{0, 1\}$ and write $w_j := (w_{j,1}, \ldots, w_{j,r})^{\mathrm{tr}} \in \mathbb{Z}^r$ where $\mathrm{tr}$ denotes the transpose. Denote $W = \mathbb{Z} w_1 + \cdots + \mathbb{Z} w_s$.

If we have any basis $u_1, \ldots, u_s$ of $W$ then we can find $\{w_1, \ldots, w_s\}$ by computing the reduced echelon form of $u_1, \ldots, u_s$, or by using the following shortcut: write $\{1, \ldots, r\}$ as a disjoint union of subsets in such a way that $i, j$ are in the same subset iff the $i$'th and $j$'th entry of $u$ are the same for every $u$ in $u_1, \ldots, u_s$.

In the following let $I_r$ be the identity matrix of dimension $r$ and define for $1 \le j \le r$ the $a_{i,j}$ via

$$\Phi(f_j) \bmod v^\ell = \sum_{i=0}^{n-1} a_{i,j} X^i.$$

Define the all-coefficients lattice $L$ as the span of the columns of the following matrix:

$$A := \begin{pmatrix} I_r & 0 \\ A_1 & v^\ell I_n \end{pmatrix} \qquad \text{where} \qquad A_1 := \begin{pmatrix} a_{0,1} & \cdots & a_{0,r} \\ \vdots & & \vdots \\ a_{n-1,1} & \cdots & a_{n-1,r} \end{pmatrix}.$$

For $e = (e_1, \ldots, e_{r+n})^{\mathrm{tr}} \in L$ we denote the corresponding element $\Phi(f_1^{e_1} \cdots f_r^{e_r})$ of $\Phi(G_v)$ as $\mathrm{POL}(e)$. Each $K$-factor $g_j$ corresponds to a vector in $L$ we denote by $\tilde w_j$, whose entries come from $w_j$ and $\Phi(g_j)$. Then $\|\tilde w_j\|_2 \le \sqrt{\|w_j\|_2^2 + B^2} \le B' := \sqrt{r^2 + B^2}$ where $B = B(f)$ is as in Corollary 4.2.

Theorem 4.3. Let $f \in \mathbb{Z}[X]$ be separable and $B'$ as above. Let $b_1, \ldots, b_{r+n}$ be an LLL-reduced basis for the all-coefficients lattice $L$, let $b_1^*, \ldots, b_{r+n}^*$ be the associated Gram-Schmidt orthogonalized basis, and let $t$ be the smallest index such that $\|b_j^*\|_2 > B'$ for all $j > t$. Let $L' := \mathbb{Z} b_1 + \cdots + \mathbb{Z} b_t$. If

$$(1) \qquad v^{\ell/n} > \|f\|_2\, (\gamma^{t-1} + n)\, B' (1 + B'),$$

then the projection of $L'$ on the first $r$ entries is $W$.

Proof. It follows from the proof of (1.11) in [LLL82] that every $w \in L$ with $\|w\|_2 \le B'$ is in $L'$. So $\tilde w_1, \ldots, \tilde w_s \in L'$ and hence the projection of $L'$ on the first $r$ entries contains $W$. Assume it is strictly larger, then $\mathrm{POL}(b_u) \notin \Phi(G)$ for some $1 \le u \le t$. From the properties of LLL-reduced bases, $\|b_u\|_2 \le \gamma^{t-1} B'$, where $\gamma \ge 4/3$ is a number that can be chosen in the reduction algorithm (one may set $\gamma := 2$ as in the original LLL paper). More precisely, $\|b_u^*\|_2 \le \gamma^{t-u} \|b_t^*\|_2$ and $\|b_u\|_2 \le \gamma^{u-1} \|b_u^*\|_2$ for all $1 \le u \le t$.

Using Lemma 3.2 as in the proof of Theorem 3.1 one can show that there exists a vector $g \in L'$ such that $f_i \mid \mathrm{POL}(g)$ for some $1 \le i \le r$, and $v^\ell \mid \mathrm{Res}(f, H) \ne 0$, where $H := \mathrm{POL}(g) \bmod v^\ell$. From the proof of Lemma 3.2 this vector $g$ may be obtained by first adding a subset of $\{\tilde w_1, \ldots, \tilde w_s\}$ to $b_u$, yielding a vector $b$ such that

$$\|b\|_2 \le (\gamma^{t-1} + s)\, B',$$

and then by adding to $b$ a vector of the form $e \tilde w_j$ for some integer $e$ with $|e| \le \|b\|_\infty \le \|b\|_2$. Hence

$$\|H\|_2 \le \|g\|_2 \le (\gamma^{t-1} + s)\, B' (1 + B').$$

From the preceding discussion and Hadamard's bound,

and we may bound $\deg H, s, t \le n$ to derive a contradiction with (1). □

From this theorem, we obtain $\ell \log v = O(n^2 + n \log \|f\|_2)$. Since Hensel lifting and lattice reduction are polynomial time algorithms, we see that $W$ can be computed in polynomial time.

Although there is no practical reason for doing so (since power sums do not offer advantages over coefficients of $\Phi$), one could now use the relation between power sums (called traces in [Hoe02]) and $\Phi$ to show that the algorithm in [Hoe02] is polynomial time provided that one uses what we call the all-traces version of the algorithm. This version uses all of the traces numbered $1, \ldots, n - 1$ at the same time, so the lattice reduction takes place in $\mathbb{Z}^{r+n-1}$. From a practical point of view, the all-traces and all-coefficients versions are slow and thus not interesting.

The main question is whether practical versions of the algorithm run in polynomial time. Using one trace at a time works very well in practice, see [Bel03]. We will show that the "one coefficient at a time" version factors in $\mathbb{Q}[X]$ in polynomial time (the same must then also be true for one trace at a time).

Let $B_i$ be the bound for $|a_i|$ given in Lemma 4.1. For $0 \le i \le n - 1$ and $g \in K_v(X)^*$ write $T_i'(g) \in \mathbb{Z}$ for the coefficient of $X^i$ in $\Phi(g) \bmod v^\ell$. Let $T_i(g) := T_i'(g)/B_i \in \mathbb{Q}$. Now Lemma 4.1 says that if $g$ is a $K$-factor of $f$, then $|T_i(g)| \le 1$.

Proposition 4.4. One can compute a sequence of lattices $L_{n-1}, L_{n-2}, \ldots, L_0$ with the following properties:

(1) $\mathbb{Z}^r = L_{n-1} \supseteq L_{n-2} \supseteq \cdots \supseteq L_0 \supseteq W$

(2) $L_i = \mathbb{Z} b_{i,1} + \cdots + \mathbb{Z} b_{i,r_i}$ for some integer $r_i$ and some vectors $b_{i,j} \in \mathbb{Z}^r$ with the following properties:

(a) $\|b_{i,j}\|_2 \le (r + 2)\, \gamma^r$.

(b) If $b_{i,j} = (e_1, \ldots, e_r)^{\mathrm{tr}}$ then $|T_i(f_1^{e_1} \cdots f_r^{e_r})| \le (r + 2)\, \gamma^r$

where $\gamma \ge 4/3$ is a number that can be chosen in the reduction algorithm (one may set $\gamma := 2$ as in the original LLL paper).

Proof. If $i = n - 1$ we may take $b_{i,1}, \ldots, b_{i,r_i}$ as the standard basis of $\mathbb{Z}^r$. If $i < n - 1$ then we may assume that $L_{i+1} = \mathbb{Z} b_{i+1,1} + \cdots + \mathbb{Z} b_{i+1,r_{i+1}}$ has been computed and define $b'_j$ as follows: First write $b_{i+1,j} = (e_1, \ldots, e_r)^{\mathrm{tr}}$, then compute $a := e_1 T_i(f_1) + \cdots + e_r T_i(f_r)$ and set $b'_j := (e_1, \ldots, e_r, a)^{\mathrm{tr}} \in \mathbb{Z}^r \times \mathbb{Q}$. Now let $L' := \mathbb{Z} b'_1 + \cdots + \mathbb{Z} b'_{r_{i+1}} + \mathbb{Z} P$ where $P = (0, \ldots, 0, v^\ell/B_i)^{\mathrm{tr}}$. Let $b_1, b_2, \ldots$ be an LLL-reduced basis of $L'$, let $b_1^*, b_2^*, \ldots$ be the associated orthogonalized basis, and let $r_i$ be the smallest index such that $\|b_j^*\|_2 > r + 2$ for all $j > r_i$. Now define $b_{i,j}$ as the projection of $b_j$ on the first $r$ entries and let $L_i := \mathbb{Z} b_{i,1} + \cdots + \mathbb{Z} b_{i,r_i}$.

Consider the vector $w_j$ corresponding to the $K$-factor $g_j$ and let $w'_j$ be the corresponding vector in $L'$. The first $r$ entries of $w'_j$ are in $\{0, 1\}$, and the last entry equals $T_i(g_j) \in \mathbb{Q}$ which has absolute value $\le 1$ by Lemma 4.1. Hence, $\|w'_j\|_2 \le \sqrt{r + 1} < r + 2$. Then it follows from the proof of (1.11) in [LLL82] that $w_j \in L_i$ and hence $W \subseteq L_i$. By the properties of an LLL-reduced basis, we have $\|b_j\|_2 \le (r + 2) \gamma^r$ when $j \le r_i$, which implies (2a) resp. (2b) since projecting on the first $r$ entries resp. last entry does not make a vector longer.

The lattice $L'$ to be reduced was in $\mathbb{Z}^r \times \mathbb{Q}$. Lattice reduction in $\mathbb{Z}^{r+1}$ is more efficient, so we round each of the numbers $T_i(f_1), \ldots, T_i(f_r), v^\ell/B_i$ to the nearest integer. Then we obtain a lattice $L' \subset \mathbb{Z}^{r+1}$ but now we have introduced rounding errors. Consider again the vectors $w_j \in W$ and $w'_j \in L'$. If $w_j$ has $a$ entries equal to 1, then the last entry of $w'_j$ is the sum of $a$ of the elements of $\{T_i(f_1), \ldots, T_i(f_r)\}$ plus an integer in the interval $(-a/2, a/2)$ times $v^\ell/B_i$. We introduced an error $\le 0.5$ in each of the numbers $T_i(f_1), \ldots, T_i(f_r), v^\ell/B_i$. Then the total rounding error in the last entry of $w'_j$ is less than $0.5(a + a/2)$ which is less than $r$, so this entry will have absolute value $\le r + 1$. Then $\|w'_j\|_2 \le \sqrt{a + (r+1)^2} < r + 2$. The proposition is stated with $r + 2$ instead of $\sqrt{r + 1}$ so that the bounds can still be used for practical implementations that round $T_i(f_1), \ldots, T_i(f_r), v^\ell/B_i$ to $\mathbb{Z}$. □

If $L_{i+1}$ is known, then the computation of $L_i$ in the proposition involves a lattice reduction in $\mathbb{Z}^{r+1}$ of a lattice with determinant $v^\ell/B_i$ (rounded to the nearest integer). If $v^\ell/B_i$ is large, then we get a big practical improvement by doing this lattice reduction incrementally in the way it is described in Section 2.4 in [Bel03], reducing one large-determinant lattice reduction to a sequence of smaller lattice reductions that at the end produce the same result.

Lemma 4.5. With the notations of Proposition 4.4 the following holds for every $n - 1 \ge i \ge i' \ge 0$. If $e = (e_1, \ldots, e_r)^{\mathrm{tr}}$ is an element of $\{b_{i',1}, \ldots, b_{i',r_{i'}}\}$ then

Proof. The entries of the $b_{i,j}$ and $e$ are bounded by $(r + 2) \gamma^r = 2^{O(r)}$. Since $e \in L_{i'} \subseteq L_i$ we can write $e = \sum_{j=1}^{r_i} c_j b_{i,j}$ for some $c_j \in \mathbb{Z}$ that can be found by solving linear equations. With Cramer's rule one finds $|c_j| \le 2^{O(r^2)}$. Multiplying this by $r_i$ and by the bound given in (2b) in Proposition 4.4 one obtains the bound $2^{O(r^2)}$. □

Theorem 4.6. $L_0 = W$ for some $\ell$ with $\ell \log v$ polynomially bounded in terms of the degree of $f$ and $\log \|f\|_2$.

Proof. If $L_0 \ne W$ then let $e$ be one of the vectors $b_{0,j}$ from Proposition 4.4 that is not in $W$. Write $e = (e_1, \ldots, e_r)^{\mathrm{tr}}$ and $g = f_1^{e_1} \cdots f_r^{e_r}$. Write $\Phi(g) \bmod v^\ell = \sum_i c_i X^i$. Then the corresponding vector in the all-coefficients lattice (see Theorem 4.3) is $\tilde e := (e_1, \ldots, e_r, c_0, \ldots, c_{n-1})^{\mathrm{tr}}$ where $c_0, \ldots, c_{n-1}$ are bounded in absolute value by $2^{O(r^2)}$ by Lemma 4.5. Applying the process in the proof of Lemma 3.2 we obtain a new vector $e'$ whose length differs at most $(s + \max\{e_1, \ldots, e_r\}) B'$ from $\tilde e$. The last $n$ entries of this vector are the coefficients of a polynomial $H \in \mathbb{Z}[X]_{<n}$ and we have $v^\ell \mid \mathrm{Res}(f, H) \ne 0$ in the same way as in Theorem 4.3. This implies that $\ell \log v$ is polynomially bounded. □

We propose to implement the "one coefficient at a time" approach in the following way: start with a value for $\ell$ that is at most as large as what one would use in the Zassenhaus approach. Then, compute $L_{n-1}, L_{n-2}, \ldots$ until we find $W$. If we reach $L_0$ and we still have not found $W$ then we must increase $\ell$. The computation of each $L_i$ should be done using the incremental strategy of Section 2.4 in [Bel03]. Then one has a polynomial time algorithm that runs very well in practice, with running times that are essentially the same as those reported in [Bel03] for

5. The case $K = \mathbb{F}_q(t)$

Now $O = \mathbb{F}_q[t]$, and the place $v$ corresponds to an irreducible polynomial in $\mathbb{F}_q[t]$, which we shall also denote as $v$. Let $f \in O[X]$. We want to factor $f$, viewed as element of $\mathbb{F}_q(t)[X]$. We assume that $f$ is separable. Denote $\alpha$ as a root of $v \in \mathbb{F}_q[t]$, then the residue field $k = \mathbb{F}_q[t]/(v)$ is isomorphic to $\mathbb{F}_q(\alpha)$. We choose $v$ in such a way that $\bar f$, the image of $f$ in $k[X]$, is squarefree and of the same $X$-degree as $f$. We get the factorization

$$\bar f = \bar l_f\, \bar f_1 \cdots \bar f_r \in k[X].$$

Representing $t - \alpha$ with a new variable $\tau$, the map $t \mapsto \tau + \alpha$ is an isomorphism from $\mathbb{F}_q[t]/(v^\ell)$ to $\mathbb{F}_q(\alpha)[\tau]/(\tau^\ell)$. Taking limits, one finds an isomorphism from

$$O_v = \varprojlim \mathbb{F}_q[t]/(v^\ell)$$

to

$$\mathbb{F}_q(\alpha)[[\tau]] = \varprojlim \mathbb{F}_q(\alpha)[\tau]/(\tau^\ell).$$

By Hensel's lemma, we get a factorization

$$f = l_f\, f_1 \cdots f_r \in O_v[X].$$

If $g \in O_v[X]$ we denote "$g \bmod v^\ell$" as the unique lift of $g$ to $\mathbb{F}_q[t, X]$ whose $t$-degree is smaller than the $t$-degree of $v^\ell$. We can not compute $f_i \in O_v[X]$ with infinite accuracy, however, for any integer $\ell > 0$ we can compute $f_i \bmod v^\ell$, which is an element of $\mathbb{F}_q[t, X]$.

Note that the above technicalities with $O_v$ become easier if we take $v = t$ so that $\tau = t$. However, we can not always do this; we can only take $v = t$ if $f(t = 0, X)$ is square-free and of the same degree as $f$.

Lemma 5.1. Let $g \in \mathbb{F}_q[t][X]$ be a polynomial which divides $f$. Then

$$\Phi(g) = \sum_{i=0}^{n-1} a_i(t) X^i \in \mathbb{F}_q[t][X] \qquad \text{with } \deg(a_i) \le B_i := \deg_t(f),$$

where $\deg_t$ denotes the $t$-degree.

Proof. From $\Phi(g) = f g'/g$ we get $\deg_t(\Phi(g)) + \deg_t(g) = \deg_t(g') + \deg_t(f)$. Since $\deg_t(g') \le \deg_t(g)$ we get the wanted bound. □

The idea is as follows. Let $g \in G_v$. If the degree of one of the coefficients of $\Phi(g) \bmod v^\ell$ exceeds the degree bound $B_i$ then $g$ is not a $K$-factor of $f$. We use this to replace the Zassenhaus combinatorial search by linear algebra.

As in the rational case we introduce the lattice $W \subseteq (\mathbb{Z}/p\mathbb{Z})^r$ generated by the exponent vectors of the monic irreducible factors $g_1, \ldots, g_s$ of $f$ in $\mathbb{F}_q(t)[X]$. Let $L$ be some subspace of $(\mathbb{Z}/p\mathbb{Z})^r$ that contains $W$. We start with $L = (\mathbb{Z}/p\mathbb{Z})^r$. For $e = (e_1, \ldots, e_r)^{\mathrm{tr}} \in L$ we denote by $\mathrm{POL}(e)$ the polynomial

$$\Phi(f_1^{e_1} \cdots f_r^{e_r}) \bmod v^\ell.$$

Our goal is to compute a subspace $L' \subseteq L$ which still contains $W$. Write

$$\mathrm{POL}(\varepsilon_j) = \sum_{i=0}^{n-1} a_{i,j} X^i \qquad (1 \le j \le r)$$

where $\varepsilon_1, \ldots, \varepsilon_r$ is the standard basis of $(\mathbb{Z}/p\mathbb{Z})^r$. Let $m_i = B_i + 1$ and let $\sigma$ be the $t$-degree of $v^\ell$. We define

$$\phi_{m_i}\Big(\sum_k c_k t^k\Big) := (c_{m_i}, \ldots, c_{\sigma-1})^{\mathrm{tr}}$$

and

$$A_i := \big( \phi_{m_i}(a_{i,1}) \ \cdots \ \phi_{m_i}(a_{i,r}) \big)$$

which is an $(\sigma - m_i) \times r$ matrix with entries in $\mathbb{F}_q$, and $A_i e = 0$ for all $e \in W$. Now $L$ and $W$ are subspaces of $(\mathbb{Z}/p\mathbb{Z})^r$ and $A_i$ is defined over $\mathbb{F}_q$. For $q = p^w$ write $\mathbb{F}_q = \mathbb{F}_p \gamma_1 + \cdots + \mathbb{F}_p \gamma_w$ and define

$$\psi(c_1 \gamma_1 + \cdots + c_w \gamma_w) := (c_1, \ldots, c_w)^{\mathrm{tr}}$$

where $\mathrm{tr}$ denotes the transpose. We define $\tilde A_i$ as follows: replace every entry $c$ of $A_i$ by $\psi(c)$. Since $\psi(c)$ is a column vector (because of the transpose in its definition) with $w$ entries we see that $\tilde A_i$ is a $w(\sigma - m_i) \times r$ matrix with entries in $\mathbb{F}_p$. We still have $\tilde A_i e = 0$ for all $e \in W$. Now let $L'$ be the intersection of the kernels of $\tilde A_0, \ldots, \tilde A_{n-1}$. Then $L'$ contains $W$.

Let $B$ be a degree bound which can be easily computed using Theorem 3.1. E.g. we can take $B = (2n - 1) \deg_t(f)$ when we use the estimate from Lemma 5.1 and the properties of the Sylvester matrix. Theorem 3.1 guarantees that $L'$ will be $W$ when $\sigma$ (the $t$-degree of $v^\ell$) is larger than $B$. Altogether we have proved

Theorem 5.2. If the $t$-degree of $v^\ell$ is larger than $(2n - 1) \deg_t(f)$ and $L'$ is the intersection of the kernels of $\tilde A_i$, $i = 0, \ldots, n - 1$, then $L' = W$. This leads to an algorithm that produces the factorization of a separable polynomial $f \in \mathbb{F}_q[t][X]$ in polynomial time.
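
The following is an added example and not code from the paper or from its authors' implementations. It runs the procedure of this section end to end on a constructed polynomial in $\mathbb{F}_5[t][X]$: factor $f(0, X)$, Hensel-lift the local factors to precision $t^{15}$, form $\Phi(f_j) = f f_j'/f_j$, build the matrices $A_i$ from the $t^k$ coefficients with $k \ge m_i = B_i + 1$ (using the bound $B_i = \deg_t(f)$ of Lemma 5.1), intersect their kernels over $\mathbb{F}_p$ by Gaussian elimination, and read off the $K$-factors with the partition shortcut of Section 4. It assumes $v = t$ and that $f(0, X)$ splits into distinct linear factors over $\mathbb{F}_5$, so that Hensel lifting reduces to Newton iteration on roots (the general case lifts higher-degree factors of $\bar f$); since $q = p$, the map $\psi$ is the identity. The names `ser`, `lift_root`, `nullspace`, `knapsack_factor` and the sample polynomial are the example's own.

```python
# Added example (not from the paper): Section 5 for K = F_q(t) with v = t, on a
# constructed f in F_5[t][X] whose reduction f(0, X) splits into distinct linear
# factors, so that Hensel lifting is Newton iteration on roots.
P = 5      # q = p = 5, so F_q = F_p and the psi step (w = 1) is the identity
PREC = 15  # ell: t-degree of v^ell = 15 > (2n - 1) deg_t(f) = 14 (Theorem 5.2)

# truncated power series in t over F_p, stored as PREC coefficients
def ser(*c):
    return [x % P for x in c] + [0] * (PREC - len(c))
def s_add(a, b): return [(x + y) % P for x, y in zip(a, b)]
def s_sub(a, b): return [(x - y) % P for x, y in zip(a, b)]
def s_mul(a, b):
    c = [0] * PREC
    for i, x in enumerate(a):
        for j in range(PREC - i):
            c[i + j] = (c[i + j] + x * b[j]) % P
    return c
def s_inv(a):
    # inverse of a unit series (a[0] != 0), solved coefficient by coefficient
    inv0 = pow(a[0], P - 2, P)
    b = [inv0] + [0] * (PREC - 1)
    for k in range(1, PREC):
        b[k] = (-inv0 * sum(a[i] * b[k - i] for i in range(1, k + 1))) % P
    return b

# polynomials in X with series coefficients, stored as lists indexed by X-degree
def p_mul(f, g):
    h = [ser(0) for _ in range(len(f) + len(g) - 1)]
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = s_add(h[i + j], s_mul(a, b))
    return h
def p_eval(f, a):  # Horner's rule in the series ring
    acc = ser(0)
    for c in reversed(f):
        acc = s_add(s_mul(acc, a), c)
    return acc
def p_deriv(f):
    return [[(k * x) % P for x in f[k]] for k in range(1, len(f))]

def lift_root(f, r0):
    """Hensel-lift a simple root r0 of f(0, X) to a root of f mod t^PREC (Newton)."""
    a, df = ser(r0), p_deriv(f)
    for _ in range(PREC.bit_length()):  # precision 1 -> 2 -> 4 -> 8 -> 16
        a = s_sub(a, s_mul(p_eval(f, a), s_inv(p_eval(df, a))))
    return a

def nullspace(rows, ncols):
    """Basis of {e in F_p^ncols : M e = 0}, by Gaussian elimination over F_p."""
    m, pivots = [r[:] for r in rows], []
    for col in range(ncols):
        piv = next((i for i in range(len(pivots), len(m)) if m[i][col]), None)
        if piv is None:
            continue
        row = len(pivots)
        m[row], m[piv] = m[piv], m[row]
        inv = pow(m[row][col], P - 2, P)
        m[row] = [(x * inv) % P for x in m[row]]
        for i in range(len(m)):
            if i != row and m[i][col]:
                c = m[i][col]
                m[i] = [(x - c * y) % P for x, y in zip(m[i], m[row])]
        pivots.append(col)
    basis = []
    for fc in [c for c in range(ncols) if c not in pivots]:
        e = [0] * ncols
        e[fc] = 1
        for i, pc in enumerate(pivots):
            e[pc] = (-m[i][fc]) % P
        basis.append(e)
    return basis

def knapsack_factor(f):
    """Return (basis of L' = W, the K-factors of monic f as lists of series)."""
    n = len(f) - 1
    # factor f(0, X) in F_p[X]: root finding suffices because f(0, X) splits here
    roots0 = [x for x in range(P) if sum(c[0] * pow(x, k, P) for k, c in enumerate(f)) % P == 0]
    assert len(roots0) == n, "example assumes f(0, X) separable and split"
    loc = [[s_sub(ser(0), lift_root(f, r0)), ser(1)] for r0 in roots0]  # f_j = X - a_j
    phi = []  # Phi(f_j) = f f_j'/f_j = product of the other local factors (f monic)
    for j in range(n):
        g = [ser(1)]
        for i in range(n):
            if i != j:
                g = p_mul(g, loc[i])
        phi.append(g)
    # Lemma 5.1: for a K-factor g, every coefficient of Phi(g) has t-degree <= deg_t(f)
    m = max(k for c in f for k in range(PREC) if c[k]) + 1
    # rows of A_i: t^k coefficient (k >= m) of the X^i coefficient of Phi(f_j), j = 1..r
    rows = [[phi[j][i][k] for j in range(n)] for i in range(n) for k in range(m, PREC)]
    kernel = nullspace(rows, n)  # intersection of the kernels of A_0, ..., A_{n-1}
    # shortcut of Section 4: i, j lie in one K-factor iff every kernel vector agrees at i and j
    classes = {}
    for i in range(n):
        classes.setdefault(tuple(e[i] for e in kernel), []).append(i)
    factors = []
    for cls in classes.values():
        g = [ser(1)]
        for i in cls:
            g = p_mul(g, loc[i])
        factors.append(g)
    return kernel, factors

# constructed input: f = (X^2 - (1 + t)) (X - 2) (X - t); X^2 - (1 + t) is irreducible
# over F_5(t) but splits in F_5[[t]][X] because 1 + t is a square in F_5[[t]]
G1 = [ser(-1, -1), ser(0), ser(1)]
G2 = [ser(-2), ser(1)]
G3 = [ser(0, -1), ser(1)]
F = p_mul(p_mul(G1, G2), G3)

if __name__ == "__main__":
    kernel, factors = knapsack_factor(F)
    print("dim W =", len(kernel), "; K-factors recovered:", len(factors))
```

With the roots of $f(0, X)$ taken in the order $0, 1, 2, 4$, the four local factors are $X - t$, $X - s$, $X - 2$, $X + s$ with $s = \sqrt{1 + t} \in \mathbb{F}_5[[t]]$; only combinations with equal exponents on $X - s$ and $X + s$ survive the degree test, so the kernel is the 3-dimensional space spanned by $(1,0,0,0)$, $(0,0,1,0)$, $(0,1,0,1)$, and the class shortcut returns $X - t$, $X^2 - (1 + t)$ and $X - 2$, each as its canonical lift mod $t^{15}$.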

Remark 5.3. If the total degree of $f$ as bivariate polynomial is $n$, then one can replace $B_i := \deg_t(f)$ in Lemma 5.1 by $B_i := n - 1 - i$. The proof is essentially the same, except that the degree w.r.t. $t$ should be replaced by the total degree. Then we can replace $(2n - 1) \deg_t(f)$ by $n(n - 1)$ in the above theorem.



Remark 5.4. In [BLSSW04] the authors followed our "$f$ times $g'/g$" approach found in a previous version of this paper and were able to improve the quadratic bound $n(n - 1)$ to a linear bound when $p > n(n - 1)$.

Note that in an implementation, one would start with a small value for $\ell$, increasing $\ell$ as long as $L'$ is not $W$. To improve practical performance, we can replace the bounds $B_i$ from Lemma 5.1 or Remark 5.3 by the sharper bound given in the lemma below.

Denote $N(f) \subseteq \mathbb{R}^2$ as the Newton polygon of $f$, which is defined as the convex hull of all points $(l, i)$ for which the coefficient of $t^l X^i$ in $f$ is non-zero. If $S_1, S_2 \subseteq \mathbb{R}^2$ then define $S_1 + S_2 := \{ s_1 + s_2 \mid s_1 \in S_1, s_2 \in S_2 \}$.

Lemma 5.5. Let $B_i := \sup\{ m \in \mathbb{N} \mid (m, i) \in N(f) + \{(0, -1)\} \}$. Let $g \in \mathbb{F}_q[t][X]$ be a polynomial which divides $f$. Then

$$\Phi(g) = \sum_{i=0}^{n-1} a_i(t) X^i \in \mathbb{F}_q[t][X] \qquad \text{with } \deg(a_i) \le B_i.$$

Proof. It is well known that $N(gh) = N(g) + N(h)$ for all $g, h \in \mathbb{F}_q[t, X]$. It is also clear that $N(g') \subseteq N(g) + \{(0, -1)\}$. Then $N(\Phi(g)) = N(f/g \cdot g') = N(f/g) + N(g') \subseteq N(f/g) + N(g) + \{(0, -1)\} = N(f) + \{(0, -1)\}$. □